Microsoft issues security advisory for IIS bug that drives CPU usage to 100 percent


Microsoft has released updates to fix a bug that froze systems when IIS handled HTTP/2 requests.

The Microsoft Security Response Center yesterday published a security advisory on a denial of service (DoS) issue affecting Microsoft's web server, IIS (Internet Information Services).

HTTP/2 is the latest major version of HTTP, the protocol that underpins the World Wide Web (www), the part of the Internet that regular users reach through their browsers.

Microsoft says that under certain circumstances HTTP/2 requests can push an IIS server's CPU usage to 100 percent, effectively slowing or freezing the entire system.

The problem was discovered by Gal Goldshtein, a software engineer at F5 Networks. Apart from Microsoft's ADV190005 security advisory, no other public information about the vulnerability is available.

Microsoft described the problem in its advisory as follows:

“The HTTP/2 specification allows clients to specify any number of SETTINGS frames with any number of SETTINGS parameters. In some situations, excessive settings can cause services to become unstable and may result in a temporary CPU usage spike until the connection timeout is reached and the connection is closed.”

The Redmond-based OS maker addressed the problem by adding the ability to define thresholds for the number of HTTP/2 SETTINGS parameters an IIS server will accept.

The fix shipped two days ago in the cumulative updates KB4487006, KB4487011, KB4487021 and KB4487029.

Once the updates have been applied, IIS administrators can set the thresholds for HTTP/2 SETTINGS parameters themselves and stop the bug from freezing IIS web services.
“The IIS administrator must define the thresholds,” the company said, “they are not set by Microsoft.”
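To make the advisory text and the fix concrete, here is an added illustration that is not Microsoft's, HTTP.sys's or IIS's code. It builds HTTP/2 SETTINGS frames (RFC 7540: frame type 0x4, a 9-byte header, six bytes per parameter, no upper bound on how many parameters a client may send), then runs them through a receiver-side guard modelled on the two thresholds the fix introduces, a cap on parameters per frame and a cap on parameters per minute, and reports why a connection would be closed. The class and function names (SettingsGuard, process_connection), the limits used (100 per frame, 1000 per minute) and the traffic samples are all constructed for this example; the real IIS limits are whatever the administrator configures.

```python
import struct
from collections import deque

# RFC 7540 frame constants (from the spec, not from the advisory)
FRAME_HEADER_SIZE = 9
SETTINGS_TYPE = 0x4
SETTINGS_ACK_FLAG = 0x1
SETTINGS_ENTRY_SIZE = 6          # 16-bit identifier + 32-bit value
WINDOW_SECONDS = 60.0


def build_settings_frame(params, stream_id=0):
    """Serialise (identifier, value) pairs into one SETTINGS frame.

    The spec puts no upper bound on len(params); that is the gap the
    advisory describes, so a client may send thousands per frame.
    """
    payload = b"".join(struct.pack("!HI", ident, value) for ident, value in params)
    if len(payload) >= 1 << 24:
        raise ValueError("frame payload exceeds the 24-bit length field")
    header = (len(payload).to_bytes(3, "big")
              + bytes([SETTINGS_TYPE, 0x0])
              + struct.pack("!I", stream_id & 0x7FFFFFFF))
    return header + payload


def iter_frames(data):
    """Yield (type, flags, stream_id, payload) for each complete frame in data."""
    offset = 0
    while offset + FRAME_HEADER_SIZE <= len(data):
        length = int.from_bytes(data[offset:offset + 3], "big")
        frame_type, flags = data[offset + 3], data[offset + 4]
        stream_id = struct.unpack("!I", data[offset + 5:offset + 9])[0] & 0x7FFFFFFF
        start = offset + FRAME_HEADER_SIZE
        payload = data[start:start + length]
        if len(payload) < length:
            raise ValueError("truncated frame")
        yield frame_type, flags, stream_id, payload
        offset = start + length


class SettingsGuard:
    """Per-connection counters modelled on the two thresholds the fix adds
    (parameters per frame, parameters per minute). Limits are assumptions."""

    def __init__(self, max_per_frame, max_per_minute):
        self.max_per_frame = max_per_frame
        self.max_per_minute = max_per_minute
        self._window = deque()   # (arrival time, parameter count) seen in the last minute
        self._in_window = 0

    def check(self, frame, now):
        """Return None to accept the frame, or a reason string to close the connection."""
        frame_type, flags, stream_id, payload = frame
        if frame_type != SETTINGS_TYPE:
            return None                  # only SETTINGS is rate-limited here
        if stream_id != 0:
            return "PROTOCOL_ERROR: SETTINGS on a non-zero stream"
        if flags & SETTINGS_ACK_FLAG:
            return None if not payload else "FRAME_SIZE_ERROR: SETTINGS ACK with payload"
        if len(payload) % SETTINGS_ENTRY_SIZE:
            return "FRAME_SIZE_ERROR: SETTINGS length not a multiple of 6"
        count = len(payload) // SETTINGS_ENTRY_SIZE
        if count > self.max_per_frame:
            return f"too many SETTINGS parameters in one frame ({count} > {self.max_per_frame})"
        # Slide the one-minute window forward before counting this frame.
        while self._window and now - self._window[0][0] >= WINDOW_SECONDS:
            self._in_window -= self._window.popleft()[1]
        if self._in_window + count > self.max_per_minute:
            return (f"SETTINGS parameter rate exceeded "
                    f"({self._in_window + count} > {self.max_per_minute}/min)")
        self._window.append((now, count))
        self._in_window += count
        return None


def process_connection(data, guard, timestamps):
    """Run raw connection bytes through the guard; return the close reason or None.
    timestamps[i] is the (constructed) arrival time of frame i, for determinism."""
    for frame, now in zip(iter_frames(data), timestamps):
        reason = guard.check(frame, now)
        if reason is not None:
            return reason
    return None


# Constructed traffic samples. Identifiers 0x3 and 0x4 are the spec's
# MAX_CONCURRENT_STREAMS and INITIAL_WINDOW_SIZE; repeats are legal.
HANDSHAKE = build_settings_frame([(0x3, 100), (0x4, 65535)])
ONE_BIG_FRAME = build_settings_frame([(0x4, 65535)] * 5000)
MANY_FRAMES = b"".join(build_settings_frame([(0x4, 65535)] * 50) for _ in range(100))


def demo():
    """Return the guard's verdict for each sample (None means the connection stays up)."""
    return {
        "handshake": process_connection(HANDSHAKE, SettingsGuard(100, 1000), [0.0]),
        "one_big_frame": process_connection(ONE_BIG_FRAME, SettingsGuard(100, 1000), [0.0]),
        # 5000 parameters in 10 seconds: tripped by the per-minute cap at frame 21
        "fast_frames": process_connection(MANY_FRAMES, SettingsGuard(100, 1000),
                                          [i * 0.1 for i in range(100)]),
        # the same 5000 parameters spread over 500 seconds: never more than 600 per minute
        "slow_frames": process_connection(MANY_FRAMES, SettingsGuard(100, 1000),
                                          [i * 5.0 for i in range(100)]),
    }
```

The two counters mirror what the update exposes: the advisory documents them as the HTTP.sys registry values Http2MaxSettingsPerFrame and Http2MaxSettingsPerMinute, and, as the quote above says, they carry no default, so an unpatched or unconfigured server behaves like a guard with both limits set to infinity.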

Mark Funk
Mark Funk is an experienced information security specialist who works with enterprises to mature and improve their enterprise security programs. Previously, he worked as a security news reporter.